Identity Management, GDPR & Cybersecurity News | 5.10.2018

Controlling who has access to data can go a long way toward compliance. Single sign-on (SSO) and two-factor/multifactor (2FA/MFA) authentication are crucial tools in keeping a lid on access to confidential information. With MFA, end users validate their identity in multiple ways, often through a piece of information only they know. This type of access management and control is essential to keep IT systems compliant. Identity and access management (IAM) goes beyond 2FA/MFA and includes central credential management, policy-based rules and SSO for end users, including partners, to keep internal systems and customer systems protected and compliant. Read more…

Identity governance is essential to maintain security and productivity as organizations transition to the cloud. This is not only critical for the migration itself, but afterwards identity governance helps companies establish centralized lifecycle management of access across all users, applications and data. Identity governance is about managing and controlling the identities that have access to sensitive data, no matter where it resides, and giving organizations the ability to answer three important security questions: who has access to what, who should have access, and how is that access being used? Read more…

Companies are developing new ways to verify identity and access to sensitive data using authenticators that evolve, change and update over time. Messaging giant WhatsApp, for example, has implemented end-to-end encryption on its platform and across all mobile platforms so users' data is held in a decentralized location. This means that the content of communications is not stored in plaintext on WhatsApp’s servers, nor is the company able to decrypt users’ messages to access them since it does not hold the encryption keys. Read more…

Cloud applications, including Microsoft Office 365 and Salesforce, are now an imperative for most businesses. These essential apps work best with an authoritative source of identity data. However, this is a major challenge in complex environments where users’ identities are stored in diverse data sources. There may be users outside of Active Directory—including LDAP directories and databases—that need access to the cloud as well. Read more…

"While regtech is mainly aimed at addressing compliance, risk management, regulatory reporting and transactions monitoring, the focus in SA has been largely on identity management." "These technologies enable financial services firms to design better customer experiences and make the regulatory checks seamless and less cumbersome for customers. They also allow banks, asset managers and insurers to more adequately assess and monitor risk, which ultimately helps them streamline processes and reduce costs," explains Collett. Read more…

No, I’m not declaring another thing in identity management dead. Instead, I’d like you to join me in exploring something that has been bugging me quite a bit lately. Risk-based Authentication can cover a spectrum of capabilities, but most generically it is a passive authentication factor that tries to measure the risk of a particular interaction (transaction, request for access, etc.), and determine if the authentication done so far is sufficient, or it needs to be supplemented by additional challenges. It will typically take into account various pieces of information that can be gathered silently (in other words, working behind the scenes without forcing the user to do anything explicitly or even realize anything is happening) from the context of the interaction. Examples of information used would be information about the device, about the environment (like IP address, time of day, geolocation), about the user behavior (way they are holding the device, typing speed), and the transaction itself (checking balances or moving money, buying goods above a certain amount or of a certain type). At a high level, risk-based authentication will return a risk score that the enterprise needs to understand and determine if the risk score is above a threshold that requires that they invoke an additional active authentication factor (like an SMS-based OTP or an authenticator code). Read more…
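
The scoring-and-threshold flow described above, as an added example that is not from the excerpted article. The signal names, weights, the penalty for a signal that could not be collected, the threshold of 40 and the sample profile are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Weights, thresholds and field names are illustrative assumptions.
WEIGHTS = {"new_device": 30, "new_country": 25, "odd_hour": 10,
           "typing_anomaly": 15, "high_value": 20}
MISSING_PENALTY = 10     # a signal that could not be gathered still adds risk
STEP_UP_THRESHOLD = 40   # at or above this, ask for an active factor

@dataclass
class Context:           # gathered silently; None = collection failed
    device_id: Optional[str]
    country: Optional[str]
    hour: Optional[int]          # local hour, 0-23
    typing_cps: Optional[float]  # typing speed, characters per second
    action: str                  # "check_balance" or "transfer"
    amount: float = 0.0

@dataclass
class Profile:           # what the enterprise already knows about the user
    known_devices: frozenset
    usual_countries: frozenset
    active_hours: range
    typing_cps: float

def _check(value, is_risky):
    return None if value is None else is_risky(value)

def risk_score(ctx, prof):
    """Return (score, reasons); the reasons make the decision auditable."""
    signals = {
        "new_device": _check(ctx.device_id, lambda d: d not in prof.known_devices),
        "new_country": _check(ctx.country, lambda c: c not in prof.usual_countries),
        "odd_hour": _check(ctx.hour, lambda h: h not in prof.active_hours),
        "typing_anomaly": _check(
            ctx.typing_cps, lambda s: abs(s - prof.typing_cps) > 0.5 * prof.typing_cps),
        "high_value": ctx.action == "transfer" and ctx.amount >= 1000,
    }
    score, reasons = 0, []
    for name, risky in signals.items():
        if risky is None:
            score += MISSING_PENALTY
            reasons.append(name + ":missing")
        elif risky:
            score += WEIGHTS[name]
            reasons.append(name)
    return min(score, 100), reasons

def decide(ctx, prof):
    score, reasons = risk_score(ctx, prof)
    return ("step_up" if score >= STEP_UP_THRESHOLD else "allow"), score, reasons

# Constructed sample data.
PROFILE = Profile(frozenset({"dev-a1"}), frozenset({"ZA"}), range(7, 23), 5.0)
ROUTINE = Context("dev-a1", "ZA", 10, 5.2, "check_balance")
RISKY = Context("dev-zz", "ZA", 3, 5.1, "transfer", 5000.0)
BLIND = Context(None, None, None, None, "check_balance")
```

The `BLIND` case shows why uncollected signals are scored rather than ignored: a client that suppresses all passive telemetry reaches the threshold and gets the active challenge instead of passing with a score of zero.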